Minimum Baseline Security Standard for OpenMRS (MBSS)

Best Practices and Security Considerations Document 
This document outlines the Minimum Baseline Security Standard (MBSS), which defines the core security principles and best practices tailored specifically for OpenMRS implementations. It covers essential areas including network security, server hardening, data protection, authentication and authorization.

This work was contributed by IntelliSOFT Consulting Ltd. in September 2024 thanks to a generous grant from Digital Square for CyberSecurity improvement work, organized by OpenMRS Inc.

Table of Contents

Abbreviation/Acronym | Definition
AAA | Authentication, Authorization, and Accounting
API | Application Programming Interface
DNS | Domain Name System
HTTP | Hypertext Transfer Protocol
HTTPS | Hypertext Transfer Protocol Secure
NTP | Network Time Protocol
REST | Representational State Transfer
SOAP | Simple Object Access Protocol
TTL | Time-to-Live
TLS | Transport Layer Security
JWT | JSON Web Token
LDAP | Lightweight Directory Access Protocol

Introduction

With the increasing number of systems, services, and integrations that organizations implementing the OpenMRS system continue to deploy within their environments, it is mandatory to define a minimum security baseline that ensures every service meets a minimum level of assurance and that none of them poses a threat to the system or network, thereby affecting the availability of the OpenMRS services. The minimum baseline standards provide a point of reference for all stakeholders interacting with the platform, allowing system developers, administrators and integrators to incorporate security measures by design in the implementation of the OpenMRS system.

The minimum baseline standard lays the guardrails for incorporating the three fundamental principles of information security in the implementation of the OpenMRS system as defined below:

  1. Confidentiality: Protecting sensitive information from unauthorized access, disclosure, or misuse. This ensures that only those with legitimate business needs can view or use data.

  2. Integrity: Maintaining the accuracy and completeness of information. This prevents data from being modified, destroyed, or corrupted.

  3. Availability: Ensuring that information and systems are accessible when needed. This prevents disruptions to business operations due to system failure or cyberattacks.

The document addresses different areas of interest in the implementation of the OpenMRS system including: 

  • Operating Systems and Platform Configurations 

  • System Security Architecture

  • Accountability

  • Access Control 

  • Data Security and Privacy 

  • Third-Party Security 

  • Application and API Security 

 

Scope Questionnaire 

The scope questionnaire allows the end user of the minimum baseline standards and the policy administrators to effectively determine the boundaries of application of the standards, based on the deployment environment, the service being integrated and/or the implementing parties.

No. | Question | Answer (YES/NO) | Instructions
1 | Does the project process, store, and/or transfer personal data, sensitive or confidential data? | | Please also answer the Data Privacy and Data Protection worksheets
2 | Does the solution provide or access an API(s) either internally or externally using HTTP-based interfaces such as SOAP, REST, or JSON? | | Please also answer the Application and API worksheet
3 | Is the solution partially or fully hosted in a cloud? | |
4 | Is any 3rd party company involved in one or more of the following activities: development; maintenance/operations; integration; testing; support; data processor; joint venture? | |

 

 

 

 

Secure Network and Physical Environment

 

No. | Question | Answer (YES/NO) | Instructions
1 | Has the hosting server(s) been secured in a locked rack or an area with restricted access? | |
2 | Have all the non-removable media been configured with file systems with access controls enabled? | |
3 | Has the server(s) been set up in an environment with appropriately restricted network access? | |
4 | Has the server(s) been set up to display a trespassing banner at login? | |

 

 

 

Patching/ Server Maintenance

System Hardening Features

System hardening is the practice of reducing a system's vulnerability by reducing its attack surface. Hardening removes the pathways, or vectors, an attacker would use, so that fewer attack vectors remain.

 

No. | Question | Answer (YES/NO) | Instructions
1 | Have all system components (OS, DB, applications, network devices) been hardened according to specified guidelines as well as specifications provided by the product manufacturer? | |
2 | Have all servers and applications been configured to disable/prevent access by trusted communities and systems (such as the use of .rhosts and .shosts for UNIX)? | |
3 | Have all software (OS, application, DB) packages and modules not required for this system been deactivated and removed (where possible) from the system? | |
4 | Has an account been created with adequate permissions (e.g. with sudo rights) to facilitate continuous compliance scans on all system components even after go-live? | |

 

 

 

Patch Management and Vulnerability Reporting

The patch and vulnerability management program (PVMG) outlines the requirements for keeping the organization’s systems updated with the most current versions of their software. PVMG ensures that the organization installs remediation patches for known vulnerabilities and exposures. 

 

No. | Question | Answer (YES/NO) | Instructions
1 | Is the most recent version in use with the latest security patches/service packs applied across all components? | |
2 | Have all patch and non-patch vulnerabilities been tested and remediated before the system go-live? | |
3 | Has an exhaustive list of all the installed security patches and modifications been provided? | |
4 | Does the supplier/vendor support the provision of security patches for any critical or high-risk vulnerabilities within 30 days of notification? | |
5 | Is there a documented maintenance process to keep applications and operating systems at the latest practical patch levels? Where is it documented? ___________________________________ | |
6 | Is there a documented maintenance process that includes a reasonable timetable for the routine application of patches and patch clusters (service packs and patch rollups)? | |
7 | Is there a process to inventory the current level of patches specific to this server? | |
8 | Is there a process for monitoring patch installation failures? | |
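Items 7 and 8 of this checklist ask for a process to inventory the patch level of a server and to monitor patch installation failures. The following script is an added example, not part of the MBSS document or of OpenMRS itself, showing one way such a check can be automated: it compares an installed-package inventory against the minimum patched versions recorded in a patch register, reports packages that are outdated or absent, and extracts failed upgrades from a package-manager log. The package names, version numbers and log line format are all constructed sample data for the example.

```python
import re

# Constructed inventory of packages installed on an OpenMRS host. Names and
# versions are assumed sample data, not taken from a real server.
INSTALLED = {
    "openjdk-17-jre-headless": "17.0.8+7-1",
    "tomcat9": "9.0.70-1",
    "mysql-server": "8.0.34-1",
    "openssl": "3.0.10-1",
}

# Constructed minimum patched versions, as a patch register built from vendor
# advisories might hold them. libxml2 is listed but not installed at all, to
# show that case too. All values are assumed sample data.
MINIMUM_PATCHED = {
    "openjdk-17-jre-headless": "17.0.9+9-1",
    "tomcat9": "9.0.70-1",
    "mysql-server": "8.0.35-1",
    "openssl": "3.0.11-1",
    "libxml2": "2.9.14-1",
}

# Constructed package-manager log excerpt; the line format is assumed for this
# example and is not the output of any particular tool.
PATCH_LOG = """\
2024-09-10 02:00:01 upgrade openssl 3.0.10-1 -> 3.0.11-1 status=ok
2024-09-10 02:00:07 upgrade mysql-server 8.0.34-1 -> 8.0.35-1 status=failed reason=dependency
2024-09-10 02:00:09 upgrade tomcat9 9.0.70-1 -> 9.0.70-1 status=ok
"""

FAIL_RE = re.compile(r"upgrade (?P<pkg>\S+) .* status=failed(?: reason=(?P<reason>\S+))?")


def version_key(version):
    """Split a version string into comparable chunks so that '9.0.9' sorts
    before '9.0.10'. Numeric chunks compare as integers, anything else as
    text; '.', '+', '-' and '~' are all treated as separators."""
    parts = re.split(r"[.+\-~]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def patch_status(installed, minimum):
    """Compare the installed inventory with the minimum patched versions.
    Returns a dict with 'outdated' (pkg, have, need) tuples, 'missing'
    packages that are required but absent, and 'compliant' packages."""
    result = {"outdated": [], "missing": [], "compliant": []}
    for pkg, need in minimum.items():
        have = installed.get(pkg)
        if have is None:
            result["missing"].append(pkg)
        elif version_key(have) < version_key(need):
            result["outdated"].append((pkg, have, need))
        else:
            result["compliant"].append(pkg)
    return result


def failed_upgrades(log_text):
    """Return (package, reason) for every upgrade the log reports as failed,
    so that failures can be alerted on rather than silently left behind."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures.append((m.group("pkg"), m.group("reason") or "unknown"))
    return failures


if __name__ == "__main__":
    status = patch_status(INSTALLED, MINIMUM_PATCHED)
    for pkg, have, need in status["outdated"]:
        print(f"OUTDATED  {pkg}: installed {have}, need at least {need}")
    for pkg in status["missing"]:
        print(f"MISSING   {pkg}: required package not installed")
    for pkg, reason in failed_upgrades(PATCH_LOG):
        print(f"FAILED    {pkg}: upgrade failed ({reason})")
```

In a real deployment the `INSTALLED` dictionary would be produced from the host's package manager and `MINIMUM_PATCHED` from the organization's patch register; the version comparison is deliberately chunk-based because plain string comparison would rank `9.0.9` above `9.0.10`.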

 

 

 

Security Logging

Logging refers to the practice of collecting events on security-related activities, such as user authentication, access control, and intrusion detection. The logs are essential for identifying and investigating potential security breaches, which may affect the availability, integrity, and confidentiality of information systems. 

 

No. | Question | Answer (YES/NO) | Instructions
1 | Is the server configured with appropriate real-time OS/application logging turned on? | |
2 | Does the system provide the capability to automatically forward audit logs to an external SIEM solution? | |
3 | Has the integration to the monitoring platform/SIEM been configured and is it working? | |
4 | Has the logging configuration been set up to include the following: all authentication; privilege escalation; user additions and deletions; access control changes; job schedule start-up; system integrity information; correct log timestamps? | |
5 | Has the right timestamp for logging been configured? | |
6 | Have the security log files been protected against manual modification, even by the super user, and have the methods applied been documented? | |
7 | Has access to audit logs been safeguarded to prevent any possible misuse or compromise? Describe how this has been achieved. | |
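Items 4 and 5 of this checklist require that the logging configuration covers a fixed set of event categories and that timestamps are correct. The script below is an added example, not part of the MBSS document or of OpenMRS, of how an administrator can verify this against a log sample before sign-off: it classifies each line into one of the required categories and flags any timestamp that carries no UTC offset, since such stamps cannot be correlated reliably in a SIEM. The log lines, their `<timestamp> <source> <message>` layout and the message wordings matched by the patterns are all constructed for this example; a real check would use the patterns of the actual log sources.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from a real OpenMRS deployment). The
# "<ISO-8601 timestamp> <source> <message>" layout is an assumption here.
SAMPLE_LOG = """\
2024-09-10T08:15:02+03:00 openmrs Authentication succeeded for user 'jdoe' from 10.0.0.12
2024-09-10T08:15:40+03:00 openmrs Authentication failed for user 'admin' from 10.0.0.99
2024-09-10T08:20:11+03:00 sudo pam_unix(sudo:session): session opened for user root by ops(uid=1001)
2024-09-10T08:21:05+03:00 useradd new user: name=backup, UID=1002, GID=1002
2024-09-10T08:25:30+03:00 openmrs Role 'Provider' granted to user 'jdoe' by 'admin'
2024-09-10T08:30:00 cron (root) CMD (/usr/local/bin/nightly-backup.sh)
2024-09-10T08:31:00+03:00 aide AIDE found differences between database and filesystem
2024-09-10T08:32:00+03:00 openmrs Patient dashboard viewed by 'jdoe'
"""

# The event categories required by checklist item 4. The message wordings the
# patterns look for are assumed for the constructed sample above.
CATEGORY_PATTERNS = {
    "authentication": re.compile(r"Authentication (succeeded|failed)"),
    "privilege_escalation": re.compile(r"sudo:session.*session opened for user root"),
    "user_add_delete": re.compile(r"\b(new user|delete user)\b"),
    "access_control_change": re.compile(r"\bRole .* (granted|revoked)\b"),
    "job_start": re.compile(r"\bCMD \("),
    "system_integrity": re.compile(r"\bAIDE found differences\b"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<msg>.*)$")


def parse_timestamp(ts):
    """Return a timezone-aware datetime, or None when the stamp is not
    ISO-8601 or carries no UTC offset (checklist item 5)."""
    try:
        dt = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def classify_line(line):
    """Return (category, aware_datetime_or_None, message) for one log line.
    Lines that do not fit the layout are reported as 'unparsed'."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", None, line)
    category = "other"
    for name, pattern in CATEGORY_PATTERNS.items():
        if pattern.search(m.group("msg")):
            category = name
            break
    return (category, parse_timestamp(m.group("ts")), m.group("msg"))


def audit_log(text):
    """Summarise a log sample: per-category counts, the required categories
    that never appear (a gap in the logging configuration), and the lines
    whose timestamps lack a UTC offset."""
    counts = {name: 0 for name in CATEGORY_PATTERNS}
    counts["other"] = 0
    naive = []
    for line in text.splitlines():
        category, ts, _ = classify_line(line)
        counts[category] = counts.get(category, 0) + 1
        if ts is None:
            naive.append(line)
    missing = [name for name in CATEGORY_PATTERNS if counts[name] == 0]
    return {"counts": counts, "missing": missing, "naive_timestamps": naive}


if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG)
    for name, n in report["counts"].items():
        print(f"{name:24s} {n}")
    print("categories never logged:", report["missing"] or "none")
    for line in report["naive_timestamps"]:
        print("timestamp without UTC offset:", line)
```

Run against the constructed sample, every required category is present but the cron line is flagged because its timestamp has no offset, which is exactly the kind of finding that should block a YES answer on item 5 until the source is reconfigured.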

 

 

System Integrity Controls

In order to ensure that the system functions in the way it is designed to operate, system security must be configured such that its operating configuration cannot be interfered with.

 

No. | Question | Answer (YES/NO) | Instructions
1 | Have configurations to restrict changes to startup procedures been implemented? | |
2 | Have all the unused services been disabled? | |
3 | Has anti-virus software been installed on the hosting server? | |
4 | Has the server been configured behind the firewall/IPS? | |
5 | Has the server been added to AAA servers? | |
6 | If available, has the hardware-based system integrity control been enabled? | |
7 | Has the authoritative source for NTP been configured? | |
8 | Has the authoritative source for DNS been configured? | |

 

 

 

Vulnerability Assessment

This is the process through which the organization assesses its information security system for security weaknesses. Vulnerability assessment allows the organization to discover and remediate the identified vulnerabilities before taking the systems, platform, or application to production. 

 

 

No. | Question | Answer (YES/NO) | Instructions
1 | Has a pre-production configuration or vulnerability assessment been performed on the server and its services? | |
2 | Has a copy of the configuration and/or vulnerability assessment reports done at the initial server configuration been retained for possible future use by the ISO? | |
3 | Has the implementation ensured a passage for the vulnerability scanners? | |
4 | Has the vulnerability assessment report been reviewed by the security and risk team and documented for future reference? | |

 

 

Backup, Restore, and Business Continuity

Backup is the process of copying information or processing state to a redundant system, service, device, or medium that can provide the required processing capability when the primary is unavailable. Backups, restoration, and business continuity ensure that the organization continues to provide services even when its primary production site is unavailable.

 

No. | Question | Answer (YES/NO) | Instructions
1 | Is there a definition of the backup plan according to the following four types of data: system (operating system and applications) data; user data (the data specific to each part of the system that is susceptible to being modified frequently); confidential information (relating to the architecture of the network or subscribers); log (the set of traces on what is made on/from each part of the system)? | |
2 | Has the backup for the operational and mission-critical data been configured? | |
3 | Has backup for all servers with operation-critical data been documented? | |
4 | Does the backup documentation include system and application restoration (including configurations) and data restoration procedures to support business continuity and disaster recovery planning? | |
5 | Has a specific account been defined for back-up and restore actions on the system, especially on database servers, with rights restricted to only the required actions (back-up and restore)? | |
6 | Have all the backup/restore actions been restricted to a specific server with an account dedicated to this action? | |
7 | Have the passwords and logins used for the backup/restore server been stored securely and encrypted while in transit? | |
8 | Are restoration backups logically accessible? | |
9 | Have measures to transmit server back-ups securely been put into place? | |
10 | Is back-up media compliant with the Portable Media Security Standard? | |
11 | Are the mechanisms to protect the system against attacks described, including how the system restricts access during an attack or system failure? | |

 

 

Data Security and Privacy 

Data privacy involves ensuring the proper usage, collection, retention, deletion, and storage of data. It involves putting various administrative and logical controls in place to ensure that data is only accessible to the right and intended users. Data security, on the other hand, combines policies, methods, and means to secure data while at rest, in processing, or in transit. Data security ensures that the data remains available, consistent, complete, and valid. In order to ensure privacy and anonymity, data must be de-identified, rendering it useless in the hands of unintended users and platforms. As illustrated in the figure below, this can be achieved through pseudonymization and anonymization. The checklist provided below evaluates the provision for all the security controls on the data while at rest, in transit, or in processing.
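The paragraph above distinguishes pseudonymization from anonymization without showing what either looks like on a record. The script below is an added example, not part of the MBSS document or of OpenMRS, that applies both to a constructed patient record: pseudonymization replaces the direct identifiers with keyed HMAC-SHA256 tokens, so only the holder of the key can re-link a token to a person, while anonymization drops the direct identifiers and generalises the quasi-identifiers (date of birth becomes an age band, the postcode is truncated) so that no key can reverse it. The records, field names, key and generalisation rules are all assumptions made for this example.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample records; names, identifiers and field layout are assumed
# for this example and do not correspond to any real person or OpenMRS table.
RECORDS = [
    {"patient_id": "1001", "name": "Jane Doe", "dob": "1987-04-12",
     "postcode": "00100", "diagnosis": "Hypertension"},
    {"patient_id": "1002", "name": "John Roe", "dob": "1954-11-30",
     "postcode": "00100", "diagnosis": "Diabetes"},
]

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("patient_id", "name")


def pseudonymize(record, key):
    """Replace each direct identifier with an HMAC-SHA256 token under a secret
    key. The same identifier always maps to the same token (so datasets can
    still be joined), but without the key the mapping cannot be recovered.
    The key must stay with the data controller and never travel with the data."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = hmac.new(key, record[field].encode("utf-8"), hashlib.sha256).hexdigest()
    return out


def age_on(dob_iso, today):
    """Whole years between an ISO date of birth and the given date."""
    born = date.fromisoformat(dob_iso)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def anonymize(record, today):
    """Drop direct identifiers and generalise quasi-identifiers so the record
    cannot be linked back to a person even by the data controller:
    exact date of birth -> 10-year age band, full postcode -> leading 2 digits."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    decade = (age_on(record["dob"], today) // 10) * 10
    out["age_band"] = f"{decade}-{decade + 9}"
    del out["dob"]
    out["postcode"] = record["postcode"][:2] + "***"
    return out


if __name__ == "__main__":
    # Constructed demo key; a real key comes from a secrets store, not source code.
    demo_key = b"constructed-demo-key-do-not-use"
    for rec in RECORDS:
        print("pseudonymized:", pseudonymize(rec, demo_key))
        print("anonymized:   ", anonymize(rec, date(2024, 9, 1)))
```

The choice between the two is a policy decision the checklist below is meant to surface: pseudonymized data still counts as personal data because the controller can re-identify it, so it stays inside the access-control and encryption requirements; only the anonymized form can leave those controls.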

 

No. | Question | Answer (YES/NO) | Instructions
Data Security | | |
1 | Have technical measures been put in place to safeguard data security by validating input from users or other systems/applications via all interfaces? Describe. | |
2 | Is critical/confidential data secured while in storage or transmission by 256-bit or higher level of encryption? | |
3 | Has the data/document been classified according to the data classification guideline/standard and marked with the right classification label? | |
4 | Is the change of the classification labels restricted only to the security administrator? | |